
Key-Policy Attribute-Based Encryption for General Boolean Circuits from Secret Sharing and Multi-linear Maps

  • Conference paper
  • Cryptography and Information Security in the Balkans (BalkanCryptSec 2015)

Abstract

We propose a Key-policy Attribute-based Encryption (KP-ABE) scheme for general Boolean circuits, based on secret sharing and on a very particular and simple form of leveled multi-linear maps, called chained multi-linear maps. The number of decryption key components is substantially reduced in comparison with the scheme in [7], and the size of the multi-linear map (in terms of bilinear map components) is less than the Boolean circuit depth, while it is quadratic in the Boolean circuit depth for the scheme in [7]. Moreover, the multiplication depth of the chained multi-linear map in our scheme can be significantly less than the multiplication depth of the leveled multi-linear map in the scheme in [7]. Selective security of the proposed scheme in the standard model is proved, under the decisional multi-linear Diffie-Hellman assumption.


References

  1. Bellare, M., Hoang, V.T., Rogaway, P.: Foundations of garbled circuits. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS 2012, pp. 784–796. ACM, New York, USA (2012)
  2. Bethencourt, J., Sahai, A., Waters, B.: Ciphertext-policy attribute-based encryption. In: IEEE Symposium on Security and Privacy, SP 2007, pp. 321–334. IEEE Computer Society (2007)
  3. Boneh, D., Nikolaenko, V., Halevi, S., Vaikuntanathan, V., Vinayagamurthy, D., Gentry, C., Gorbunov, S., Segev, G.: Fully key-homomorphic encryption, arithmetic circuit ABE and compact garbled circuits. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 533–556. Springer, Heidelberg (2014)
  4. Coron, J.-S., Lepoint, T., Tibouchi, M.: New multilinear maps over the integers. Cryptology ePrint Archive, Report 2015/162 (2015). (Accepted at CRYPTO 2015)
  5. Drăgan, C.C., Ţiplea, F.L.: Key-policy attribute-based encryption for boolean circuits from bilinear maps. In: Ors, B., Preneel, B. (eds.) BalkanCryptSec 2014. LNCS, vol. 9024, pp. 175–193. Springer, Heidelberg (2015)
  6. Gentry, C., Halevi, S., Garg, S.: Candidate multilinear maps from ideal lattices. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 1–17. Springer, Heidelberg (2013)
  7. Waters, B., Garg, S., Gentry, C., Halevi, S., Sahai, A.: Attribute-based encryption for circuits from multilinear maps. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 479–499. Springer, Heidelberg (2013)
  8. Gorbunov, S., Vaikuntanathan, V., Wee, H.: Attribute-based encryption for circuits. In: Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.) STOC, pp. 545–554. ACM (2013)
  9. Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for fine-grained access control of encrypted data. In: ACM Conference on Computer and Communications Security, pp. 89–98. ACM (2006)
  10. Ostrovsky, R., Sahai, A., Waters, B.: Attribute-based encryption with non-monotonic access structures. In: ACM Conference on Computer and Communications Security, pp. 195–203. ACM (2007)
  11. Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005)
  12. Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985)
  13. Stinson, D.R.: Cryptography: Theory and Practice, 3rd edn. Chapman and Hall/CRC, Boca Raton (2005)

Author information

Corresponding author

Correspondence to Ferucio Laurenţiu Ţiplea.


Appendices

A Appendix 1

This appendix illustrates the Share and Recon procedures on the Boolean circuit in Fig. 1.

Fig. 2. \(Share(y,\mathcal C)\)

Fig. 3. \(Recon(\mathcal C,P,L,A,V_A)\), where \(A=\{2,5,7,8\}\), \(V_A(2)=g_2^{x_9a_2^{-1}s}\), \(V_A(5)=g_2^{x_{15}s}\), \(V_A(7)=g_2^{x_{10}s}\), and \(V_A(8)=g_2^{x_{14}s}\) (\(V_A\) is \(\bot \) for all the other values)

B Appendix 2

In this appendix we prove the security of our KP-ABE_Scheme.

Theorem 2

The KP-ABE_Scheme is secure in the selective model under the decisional MDH assumption.

Proof

It is sufficient to prove that for any adversary \(\mathcal A\) with an advantage \(\eta \) in the selective game for KP-ABE_Scheme, a PPT algorithm \(\mathcal B\) can be defined, with the advantage \(\eta /2\) over the decisional MDH problem. The algorithm \(\mathcal B\) plays the role of challenger for \(\mathcal A\) in the selective game for KP-ABE_Scheme. Taking into account that

  1. any leveled multilinear map \(\{e_{i,j}|i,j\ge 1,\ i+j\le k\}\) includes a chained multilinear map \((e_{i,1}|1\le i<k)\);

  2. if some PPT algorithm can decide the decisional MDH problem with chained multilinear map instances then it can decide, with at least the same advantage, the decisional MDH problem with leveled multilinear map instances,

we conclude that it is sufficient to give the algorithm \(\mathcal B\) a chained multilinear map instance of the decisional MDH problem consisting of \(r+2\) multiplicative groups \(G_1,\ldots ,G_{r+2}\) of the same prime order p, \(r+2\) generators \(g_1,\ldots ,g_{r+2}\) of these groups, respectively, \(r+1\) bilinear maps \(e_i:G_i\times G_1\rightarrow G_{i+1}\) such that \(e_i(g_i^a,g_1^b)=g_{i+1}^{ab}\) for all \(1\le i\le r+1\) and \(a,b\in \mathbb Z_p\), and the values \(g_1^s\), \(g_1^{c_1},\ldots ,g_1^{c_{r+2}}\), \(Z_0=g_{r+2}^{sc_1\cdots c_{r+2}}\), and \(Z_1=g_{r+2}^z\), where \(s,c_1,\ldots ,c_{r+2},z\) are chosen uniformly at random from \(\mathbb Z_p\).

Now, the algorithm \(\mathcal B\) runs \(\mathcal A\) acting as a challenger for it.

Init. Let A be a non-empty set of attributes the adversary \(\mathcal A\) wishes to be challenged upon.

Setup. \(\mathcal B\) chooses at random \(r_i\in \mathbb Z_p\) for all \(i\in \mathcal U\), and computes \(Y=g_{r+2}^{c_1\cdots c_{r+2}}\) and \(T_i=g_1^{t_i}\) for all \(i\in \mathcal U\), where

$$\begin{aligned} t_i={\left\{ \begin{array}{ll} r_i, &{} \text {if}\, i\in A \\ c_2r_i, &{} \text {otherwise} \end{array}\right. } \end{aligned}$$

(\(\mathcal B\) can compute Y by using \(g_1^{c_1},\ldots ,g_1^{c_{r+2}}\) and \(e_1,\ldots ,e_{r+1}\), as well as \(T_i\) by using \(r_i\) and \(g_1^{c_2}\)). Then, \(\mathcal B\) publishes the public parameters

$$\begin{aligned} PP=(n,r,p,G_1,\ldots ,G_{r+2},g_1, e_1,\ldots ,e_{r+1}, Y,(T_i|i\in \mathcal U)) \end{aligned}$$

The reason for choosing \(T_i\) in this way will become clear in the next step.

Phase 1. The adversary is granted oracle access to the decryption key generation oracle for all queries \(\mathcal C\) with n input wires and r FANOUT-levels and \(\mathcal C(A) = 0\). Given such a query, the decryption key is computed by the following general methodology. First, the algorithm \(\mathcal B\) uses a procedure FakeShare which shares \(g_1^{c_1}\) by taking into account a set A of attributes and using FANOUT-level-keys based on \(g_1^{c_3},\ldots ,g_1^{c_{r+2}}\). Then, \(\mathcal B\) delivers decryption keys based on \(g_1^{c_2}\). Two requirements are to be fulfilled:

  1. from the adversary’s point of view, the secret sharing and distribution of decryption keys should look as in the original scheme;

  2. the reconstruction procedure Recon, starting from the decryption keys and an authorized set of attributes, should return \(g_{r+2}^{c_1\cdots c_{r+2}s}\).

In order to describe the procedure FakeShare we adopt the following notation: given a wire w of \(\mathcal C\), denote by \(\mathcal C_w(A)\) the truth value at w when the circuit \(\mathcal C\) is evaluated for A. The main idea in FakeShare is the following:

  1. if the output wire w of a logic gate \(\varGamma =(w_1,w_2,X,w)\) satisfies \(\mathcal C_w(A)=0\), where X stands for “OR” or “AND”, then the value to be shared at this wire is of the form \(g_1^x\), for some \(x\in \mathbb Z_p\); otherwise, the value to be shared at this wire is an element \(x\in \mathbb Z_p\);

  2. the shares obtained by sharing the value associated to w, and distributed to the input wires of \(\varGamma \), should satisfy the same constraints as above. For instance, if \(\mathcal C_{w_1}(A)=0\) and \(\mathcal C_{w_2}(A)=1\), then the share distributed to \(w_1\) should be of the form \(g_1^{x_1}\) while the share distributed to \(w_2\) should be of the form \(x_2\);

  3. the same policy applies to FANOUT-gates as well.

The procedure FakeShare is as follows (for the sake of simplicity we adopt the convention \(a_{i_1}\cdots a_{i_u}=1=a_{i_1}^{-1}\cdots a_{i_u}^{-1}\) whenever \(i_1\cdots i_u\) is the empty sequence):

\(\underline{FakeShare(g_1^{c_1},g_1^{c_3}\ldots ,g_1^{c_{r+2}},\mathcal C,A)}\)

  1. Initially, all gates of \(\mathcal C\) are unmarked;

  2. Assuming that the FANOUT-levels in \(\mathcal C\) are \(h_1<\cdots <h_r\), we denote \(c_{j}\) by \(c'_{h_{j-2}}\), for all \(3\le j\le r+2\). This notation is purely technical: it establishes a correspondence between the c’s and the FANOUT-levels (see below). Now, for each FANOUT-level i, \(0\le i<depth(\mathcal C)-2\), choose uniformly at random \(a_i\in \mathbb Z_p\) and assign \(L(i):=g_1^{a_ic'_i}\);

  3. \(S(o):=g_1^{c_1}\);

  4. If \(\varGamma =(w_1,w_2,OR,w)\) is an unmarked OR-gate and S(w) was defined, then mark \(\varGamma \) and do the following:

     (a) compute \(i_1\cdots i_u\) and \(j_1\cdots j_v\), the left and right FANOUT-level sequences of \(\varGamma \), respectively;

     (b) if \(\mathcal C_w(A)=\mathcal C_{w_1}(A)=\mathcal C_{w_2}(A)=0\), then \(S(w_1):=S(w)^{a_{i_1}^{-1}\cdots a_{i_u}^{-1}}\) and \(S(w_2):=S(w)^{a_{j_1}^{-1}\cdots a_{j_v}^{-1}}\);

     (c) if \(\mathcal C_w(A)=\mathcal C_{w_1}(A)=\mathcal C_{w_2}(A)=1\), then \(S(w_1):=S(w)\cdot {a_{i_1}^{-1}\cdots a_{i_u}^{-1}}\) and \(S(w_2):=S(w)\cdot {a_{j_1}^{-1}\cdots a_{j_v}^{-1}}\);

     (d) if \(\mathcal C_w(A)=1=\mathcal C_{w_1}(A)\) and \(\mathcal C_{w_2}(A)=0\), then \(S(w_1):=S(w)\cdot {a_{i_1}^{-1}\cdots a_{i_u}^{-1}}\) and \(S(w_2):=g_1^{S(w)\cdot {a_{j_1}^{-1}\cdots a_{j_v}^{-1}}}\);

     (e) if \(\mathcal C_w(A)=1=\mathcal C_{w_2}(A)\) and \(\mathcal C_{w_1}(A)=0\), then \(S(w_1):=g_1^{S(w)\cdot {a_{i_1}^{-1}\cdots a_{i_u}^{-1}}}\) and \(S(w_2):=S(w)\cdot {a_{j_1}^{-1}\cdots a_{j_v}^{-1}}\).

     Remark that \(S(w)\in \mathbb Z_p\) in the cases (c), (d), and (e);

  5. If \(\varGamma =(w_1,w_2,AND,w)\) is an unmarked AND-gate and S(w) was defined, then mark \(\varGamma \) and do the following:

     (a) compute \(i_1\cdots i_u\), the left FANOUT-level sequence of \(\varGamma \), and \(j_1\cdots j_v\), the right FANOUT-level sequence of \(\varGamma \);

     (b) choose \(x_1\) uniformly at random from \(\mathbb Z_p\);

     (c) if \(\mathcal C_w(A)=1\), then:

         i. compute \(x_2\) such that

            $$\begin{aligned} S(w)=(x_1 a_{i_1}\cdots a_{i_u} + x_2 a_{j_1}\cdots a_{j_v}) \, \text {mod}\, p; \end{aligned}$$

         ii. assign \(S(w_1):=x_1\) and \(S(w_2):=x_2\);

     (d) if \(\mathcal C_w(A)=0=\mathcal C_{w_2}(A)\) and \(\mathcal C_{w_1}(A)=1\), then assign \(S(w_1):=x_1\) and

         $$S(w_2)=\Big (S(w)/g_1^{x_1a_{i_1}\cdots a_{i_u}}\Big )^ {a_{j_1}^{-1}\cdots a_{j_v}^{-1}}$$

     (e) if \(\mathcal C_w(A)=0=\mathcal C_{w_1}(A)\) and \(\mathcal C_{w_2}(A)=1\), then do as above, switching \(w_1\) and \(w_2\);

     (f) if \(\mathcal C_w(A)=\mathcal C_{w_1}(A)=\mathcal C_{w_2}(A)=0\), then \(S(w_1):=g_1^{x_1}\) and \(S(w_2)\) is computed as in the case (d);

  6. If \(\varGamma =(w,FANOUT,w_1,\ldots ,w_j)\) is an unmarked FANOUT-gate and \(S(w_i)\) was defined for all \(1\le i\le j\), then mark \(\varGamma \) and do the following:

     (a) choose uniformly at random \(x\in \mathbb Z_p\);

     (b) if \(\mathcal C_w(A)=\mathcal C_{w_1}(A)=\cdots =\mathcal C_{w_j}(A)=1\), then \(S(w):=x\) and

         $$\begin{aligned} P(w_i):=g_1^{c'_{level(\varGamma )}S(w_i)x^{-1}} \end{aligned}$$

         for all \(1\le i\le j\);

     (c) if \(\mathcal C_w(A)=\mathcal C_{w_1}(A)=\cdots =\mathcal C_{w_j}(A)=0\), then \(S(w):=g_1^{c'_{level(\varGamma )}x}\) and \(P(w_i):=S(w_i)^{x^{-1}}\), for all \(1\le i\le j\);

  7. repeat the last three steps above until all gates get marked.

Let \((S,P,L)\leftarrow FakeShare(g_1^{c_1},g_1^{c_3},\ldots ,g_1^{c_{r+2}},\mathcal C,A)\). The algorithm \(\mathcal B\) delivers to \(\mathcal A\) the decryption key \(D=((D(i)|i\in \mathcal U),P,L)\), where

$$\begin{aligned} D(i)=\left\{ \begin{array}{ll} (g_1^{c_2})^{S(i)/r_i}, &{} \text {if}\ i\in A \\ S(i)^{1/r_i}, &{}\, \text {if }\, i\not \in A \end{array} \right. \end{aligned}$$

for any \(i\in \mathcal U\). The key component D(i) is of the form \(g_1^{y_{i}/r_i}=g_1^{c_2y_{i}/c_2r_i}\) for all \(i\not \in A\) (for some \(y_{i}\in \mathbb Z_p\)) because the shares of \(i\not \in A\) are all powers of \(g_1\) (remark that \(C_i(A)=0\)).

The distribution of this decryption key is identical to that in the original scheme. Moreover, it is straightforward to see that the reconstruction procedure Recon, applied to \(V_A(i)=g_2^{S(i)c_2s}\) for all \(i\in A\), where A is an authorized set, returns \(g_{r+2}^{c_1\cdots c_{r+2}s}\). Indeed, in the reconstruction process each FANOUT-level \(h_j\) changes the generator (by applying a bilinear map) and multiplies the exponent by \(c'_{h_j}\). As \(c_3\cdots c_{r+2}=c'_{h_1}\cdots c'_{h_r}\), the claim follows.
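As an added worked example (constructed for this page, not the paper's code), the following Python models the Phase 1 simulation for the special case r = 0: a circuit of AND/OR gates with no FANOUT gates, so only \(G_1\), \(G_2\) and \(e_1\) exist and every product of \(a_i\)'s is 1. Group elements are represented by their exponents mod p, so the code checks only the algebra of FakeShare, the key components \(D(i)\) and the pairing \(V(i)=e_1(D(i),T_i^s)\), not any hardness property. Assumptions of the example: the circuit encoding, and a Recon for AND/OR gates derived from the sharing rules (an AND gate multiplies its inputs' values, an OR gate takes an input that evaluates to 1).

```python
import random
# Toy chained multilinear map (constructed): an element of G_i is (i, exponent mod p); discrete logs are visible here, so only the reduction's algebra is checked.
p = 2**61 - 1                                                    # constructed prime group order
def g(i, e): return (i, e % p)                                   # g_i^e
def pw(x, k): return (x[0], x[1] * k % p)                        # x^k
def mul(x, y): return (x[0], (x[1] + y[1]) % p)                  # x * y within one group
def pair(x, y): return (x[0] + 1, x[1] * y[1] % p)               # e_i : G_i x G_1 -> G_{i+1}

def evaluate(circ, w, A):                                        # C_w(A); circ maps a gate's output wire to (w1, w2, op)
    if w not in circ: return int(w in A)                         # a wire that is not a gate output is an attribute input
    a, b = (evaluate(circ, x, A) for x in circ[w][:2])
    return a & b if circ[w][2] == 'AND' else a | b

def fake_share(circ, out, A, g1c1):                              # FakeShare with r = 0: no FANOUT gates, all a_i products are 1
    S = {out: g1c1}                                              # S(o) := g_1^{c_1}; a share lies in G_1 iff its wire is 0 under A
    def share(w):
        if w not in circ: return
        w1, w2, op = circ[w]
        v, v1, v2 = (evaluate(circ, x, A) for x in (w, w1, w2))
        if op == 'OR':                                           # OR cases (b)-(e): copy S(w), lifted to g_1^{S(w)} on a 0-input
            S[w1] = S[w] if v1 == v else g(1, S[w])
            S[w2] = S[w] if v2 == v else g(1, S[w])
        else:
            x1 = random.randrange(p)
            if v == 1: S[w1], S[w2] = x1, (S[w] - x1) % p        # AND case (c): x1 + x2 = S(w) mod p
            elif v1 == 1: S[w1], S[w2] = x1, mul(S[w], g(1, -x1))  # case (d): S(w2) = S(w) / g_1^{x1}
            elif v2 == 1: S[w2], S[w1] = x1, mul(S[w], g(1, -x1))  # case (e): case (d) with w1 and w2 switched
            else: S[w1], S[w2] = g(1, x1), mul(S[w], g(1, -x1))  # case (f): both inputs are 0
        share(w1); share(w2)
    share(out); return S

def recon(circ, w, A, V):                                        # Recon for AND/OR gates, assumed from the sharing rules
    if w not in circ: return V[w]                                # V(i) = e_1(D(i), E_i) for an input wire i in A
    w1, w2, op = circ[w]
    if op == 'AND': return mul(recon(circ, w1, A, V), recon(circ, w2, A, V))
    return recon(circ, w1 if evaluate(circ, w1, A) else w2, A, V)

def simulate(circ, out, A, A2, seed=1):                          # B answers a key query with C(A)=0; the key must decrypt under authorized A2
    random.seed(seed)
    s, c1, c2 = (random.randrange(1, p) for _ in range(3))
    g1c1, g1c2, Z0 = g(1, c1), g(1, c2), g(2, s * c1 * c2)       # the parts of the MDH instance that B uses
    U = {x for w1, w2, _ in circ.values() for x in (w1, w2) if x not in circ}
    r = {i: random.randrange(1, p) for i in U}
    T = {i: g(1, r[i]) if i in A else pw(g1c2, r[i]) for i in U} # Setup: t_i = r_i if i in A, else c_2 r_i
    assert evaluate(circ, out, A) == 0, "key queries must satisfy C(A) = 0"
    S = fake_share(circ, out, A, g1c1)
    D = {i: pw(g1c2, S[i] * pow(r[i], -1, p)) if i in A else pw(S[i], pow(r[i], -1, p)) for i in U}
    V = {i: pair(D[i], pw(T[i], s)) for i in A2 & U}             # V(i) = e_1(D(i), T_i^s) = g_2^{S(i) c_2 s}
    return recon(circ, out, A2, V) == Z0                         # Recon must return g_2^{c_1 c_2 s} = Z_0
```

simulate returns True exactly when the fake key issued for a circuit with \(\mathcal C(A)=0\) still reconstructs \(Z_0\) under an authorized set A2, which is the functional claim made for the keys above.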

Challenge. The adversary \(\mathcal A\) selects two messages \(m_0\) and \(m_1\) (of the same length) and sends them to \(\mathcal B\). The algorithm \(\mathcal B\) encrypts \(m_{u}\) with \(Z_v\), where \(u\leftarrow \{0,1\}\), and sends it back to the adversary (recall that \(Z_v\) was randomly chosen from \(\{Z_0,Z_1\}\)). The ciphertext is

$$\begin{aligned} E=(A,E'=m_{u}Z_v,\{E_i=T_{i}^{s}=g_1^{sr_i}\}_{i\in A}) \end{aligned}$$

If \(v=0\), E is a valid encryption of \(m_u\); if \(v=1\), \(E'\) is a random element from \(G_2\).

Phase 2. The adversary may receive again oracle access to the decryption key generation oracle (with the same constraint as in Phase 1).

Guess. Let \(u'\) be the guess of \(\mathcal A\). If \(u'=u\), then \(\mathcal B\) outputs \(v'=0\); otherwise, it outputs \(v'=1\).

We compute now the advantage of \(\mathcal B\). Clearly,

$$\begin{aligned} P(v'=v)-\frac{1}{2} = P(v'=v|v=0)\cdot P(v=0)+P(v'=v|v=1)\cdot P(v=1)-\frac{1}{2} \end{aligned}$$

Both \(P(v=0)\) and \(P(v=1)\) are 1/2. Then, remark that

$$\begin{aligned} P(v'=v|v=0)=P(u'=u|v=0)=\frac{1}{2}+\eta \end{aligned}$$

and \(P(v'=v|v=1)=P(u'\not =u|v=1)=\frac{1}{2}\). Putting all together we obtain that the advantage of \(\mathcal B\) is \(P(v'=v)-\frac{1}{2}=\frac{1}{2}\eta \). \(\quad \square \)


Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Drăgan, C.C., Ţiplea, F.L. (2016). Key-Policy Attribute-Based Encryption for General Boolean Circuits from Secret Sharing and Multi-linear Maps. In: Pasalic, E., Knudsen, L. (eds.) Cryptography and Information Security in the Balkans. BalkanCryptSec 2015. Lecture Notes in Computer Science, vol. 9540. Springer, Cham. https://doi.org/10.1007/978-3-319-29172-7_8

  • DOI: https://doi.org/10.1007/978-3-319-29172-7_8
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-29171-0
  • Online ISBN: 978-3-319-29172-7
  • eBook Packages: Computer Science (R0)
